Well, we didn't explicitly address this under Interceptor, but covered it under the general introduction to Security.

Ganesh Prasad

"Most of the time, developers spend time and effort building authentication and access control subsystems, even though these features are ostensibly part of the J2EE specification. The reason for this wheel reinvention is that the standard J2EE security mechanisms are often inadequate for the purposes of many applications.

[...]

Similarly, authorization tags in EJB deployment descriptors control access to components, but are not fine-grained enough to enforce, for example, monetary limits on transactions, an essential requirement of many financial applications.

In other words, most attempts to reinvent the security wheel at the application level are aimed at going beyond the coarse-grained, black-or-white logic provided by the J2EE container."